Don Meyer
2007-May-01 07:50 UTC
[Samba] Problem with Samba-3.0.25rc3 & idmap_ldap (winbind dumps core)
In an effort to improve my lot, I'm trying to move to a ldap backend for idmap synchronization when I deploy the new 3.0.25 version on my systems. In preparation for this, I've set up some test systems -- where I'm having some problems that I think others may be encountering (according to a few comments I've seen recently). In a nutshell, I believe I have set up my ldap services correctly -- largely following the ldap portion of the guide at: http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP At least according to phpldapadmin, I have a functioning master ldap service on one RHEL4 system and a replicating slave service established on a second RHEL4 system. I then install the samba-3.0.25rc3-5 packages, and alter my standard configuration according to the samba portion of the guide, taking into account the apparent changes needed due to the man pages for smb.conf & idmap_ldap. (Relevant configs attached below...) One step that I'm having a bit of a problem with, and I think it is contributing to the remainder of the problem below, is the entry of the credentials for the access to the ldap services. Several guides state that the proper method to store the credentials for your ldap access dn is to use smbpasswd: smbpasswd -w {password} However, this command complains: ERROR: 'ldap admin dn' not defined! Please check your smb.conf Only when you put the following line in smb.conf does smbpasswd allow you to store the password in secrets.tdb. At this point, I think that everything is ready. After firing up the upgraded smb & winbind services, I run through my function checklist: wbinfo -tm OK wbinfo -D ACES OK wbinfo -D EXTENSION OK wbinfo -u OK All this is looking good, but I don't see any activity on either ldap service. I don't really expect much, however, until I get to user enumeration -- the 'getent passwd' stage. When I issue my first 'getent passwd {user}' command, winbindd dumps core with the following log excerpt from log.winbindd-idmap: ------------------------------------------ [2007/04/30 12:44:04, 1] nsswitch/idmap.c:idmap_init(343) Initializing idmap domains [2007/04/30 12:44:04, 0] nsswitch/idmap_ldap.c:get_credentials(86) get_credentials: Unable to fetch auth credentials for cn=sambaadmin,dc=aces-web in ACES [2007/04/30 12:44:04, 1] nsswitch/idmap_ldap.c:idmap_ldap_db_init(805) idmap_ldap_db_init: Failed to get connection credentials (NT_STATUS_ACCESS_DENIED) [2007/04/30 12:44:04, 0] nsswitch/idmap.c:idmap_init(438) ERROR: Initialization failed for backend ldap (domain ACES), deferred! [2007/04/30 12:44:04, 0] lib/fault.c:fault_report(41) ==============================================================[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 11 in pid 29969 (3.0.25rc3) Please read the Trouble-Shooting section of the Samba3-HOWTO [2007/04/30 12:44:04, 0] lib/fault.c:fault_report(44) From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf [2007/04/30 12:44:04, 0] lib/fault.c:fault_report(45) ==============================================================[2007/04/30 12:44:04, 0] lib/util.c:smb_panic(1620) PANIC (pid 29969): internal error [2007/04/30 12:44:04, 0] lib/util.c:log_stack_trace(1724) BACKTRACE: 20 stack frames: #0 winbindd(log_stack_trace+0x2d) [0x23cc82] #1 winbindd(smb_panic+0x56) [0x23cd89] #2 winbindd [0x2294e5] #3 /lib/tls/libc.so.6 [0x414898] #4 winbindd [0x35ca8c] #5 winbindd(idmap_init+0xecc) [0x357078] #6 winbindd(idmap_sids_to_unixids+0x29) [0x358a78] #7 winbindd(idmap_sid_to_uid+0x68) [0x35bda6] #8 winbindd(winbindd_dual_sid2uid+0x12b) [0x1dde2b] #9 winbindd [0x1dc15d] #10 winbindd [0x1dceb9] #11 winbindd(winbindd_sid2uid_async+0x7d) [0x1ddcf6] #12 winbindd [0x1b1de5] #13 winbindd [0x1e0f3f] #14 winbindd [0x1dce07] #15 winbindd [0x1dc852] #16 winbindd [0x1af89c] #17 winbindd(main+0x779) [0x1b0d24] #18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x401de3] #19 winbindd [0x1af351] [2007/04/30 12:44:04, 0] lib/fault.c:dump_core(181) dumping core in /var/log/samba/cores/winbindd ------------------------------------------ What I note in idmap_ldap.c is that the get_credentials function appears to be calling idmap_fetch_secret with some combination of the DOMAIN and 'ldap_user_dn'. However, smbpasswd appears to be fixated on the presence of the 'ldap admin dn' directive, leading me to believe that smbpasswd may be storing under a different key than the retrieval function is looking for... I traced the smbpasswd code back to param/loadparm.c, and everything keys to 'ldap_admin_dn', with no association with any domain value. Then I traced the secret retrieval process back to passdb/secrets.c, where I then traced the secrets_store_generic function back out to the 'net idmap secret' command. For others reference, to set the ldap_user_dn password for each defined domain, and for the idmap alloc config side, you use the following commands: net idmap secret <DOMAIN> <secret> net idmap secret alloc <secret> (Note: A little pointer dropped in the man page for idmap_ldap would have been quite helpful here...) Both of these were successful for me, so I went directly to restarting winbindd and retesting. Sure enough, we have another core dump as I issue the first getent passwd {user} command. The log excerpt from log.winbindd-idmap follows: ------------------------------------------------ [2007/05/01 02:02:47, 1] nsswitch/idmap.c:idmap_init(343) Initializing idmap domains [2007/05/01 02:02:47, 0] lib/fault.c:fault_report(41) ==============================================================[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(42) INTERNAL ERROR: Signal 11 in pid 10031 (3.0.25rc3) Please read the Trouble-Shooting section of the Samba3-HOWTO [2007/05/01 02:02:47, 0] lib/fault.c:fault_report(44) From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf [2007/05/01 02:02:47, 0] lib/fault.c:fault_report(45) ==============================================================[2007/05/01 02:02:47, 0] lib/util.c:smb_panic(1620) PANIC (pid 10031): internal error [2007/05/01 02:02:47, 0] lib/util.c:log_stack_trace(1724) BACKTRACE: 20 stack frames: #0 winbindd(log_stack_trace+0x2d) [0xc9dc82] #1 winbindd(smb_panic+0x56) [0xc9dd89] #2 winbindd [0xc8a4e5] #3 /lib/tls/libc.so.6 [0x99f898] #4 winbindd [0xdbda8c] #5 winbindd(idmap_init+0xecc) [0xdb8078] #6 winbindd(idmap_sids_to_unixids+0x29) [0xdb9a78] #7 winbindd(idmap_sid_to_uid+0x68) [0xdbcda6] #8 winbindd(winbindd_dual_sid2uid+0x12b) [0xc3ee2b] #9 winbindd [0xc3d15d] #10 winbindd [0xc3deb9] #11 winbindd(winbindd_sid2uid_async+0x7d) [0xc3ecf6] #12 winbindd [0xc12de5] #13 winbindd [0xc41f3f] #14 winbindd [0xc3de07] #15 winbindd [0xc3d852] #16 winbindd [0xc1089c] #17 winbindd(main+0x779) [0xc11d24] #18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x98cde3] #19 winbindd [0xc10351] [2007/05/01 02:02:47, 0] lib/fault.c:dump_core(181) dumping core in /var/log/samba/cores/winbindd ------------------------------------------------ I'm having trouble tracing this beyond the idmap_init function in nsswitch/idmap.c. If this points to a problem in samba, I hope this helps. On the other hand, if this is a problem in my setup, any pointers in the direction of fixing it would be greatly appreciated. -D Config details: smb.conf: (output from testparm) ----------------------------------- [global] workgroup = ACES realm = COLLEGE.ACESNET.UIUC.EDU netbios name = ACES-BETA-MAINT server string = %L (Samba v%v) security = ADS obey pam restrictions = Yes password server = college.acesnet.uiuc.edu username map = /etc/samba/smbusers client NTLMv2 auth = Yes client lanman auth = No client plaintext auth = No log file = /var/log/samba/%m.log max log size = 0 name resolve order = host lmhosts wins bcast deadtime = 15 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 local master = No dns proxy = No wins server = 128.174.5.30, 128.174.5.31 # the following line was added to satisfy smbpasswd... ldap admin dn = cn=sambaadmin,dc=aces-web idmap domains = ALLDOMAINS idmap alloc backend = ldap idmap uid = 10000-100000000 idmap gid = 10000-100000000 template shell = /bin/bash winbind cache time = 10 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap alloc config:range = 10000-100000000 idmap alloc config:ldap_url = ldap://ldap-master.aces-web:389/ idmap alloc config:ldap_user_dn = cn=sambaadmin,dc=aces-web idmap alloc config:ldap_base_dn = ou=idmap,dc=aces-web idmap config ALLDOMAINS:range = 10000-100000000 idmap config ALLDOMAINS:ldap_url = ldap://localhost:389/ idmap config ALLDOMAINS:ldap_user_dn = cn=sambaadmin,dc=aces-web idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=aces-web idmap config ALLDOMAINS:backend = ldap idmap config ALLDOMAINS:default = yes create mask = 0664 directory mask = 02775 inherit permissions = Yes inherit acls = Yes case sensitive = No ----------------------------------- Don Meyer <dlmeyer@uiuc.edu> Network Manager, ACES Academic Computing Facility Technical System Manager, ACES TeleNet System UIUC College of ACES, Information Technology and Communication Services "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
idra@samba.org
2007-May-02 19:34 UTC
[Samba] Problem with Samba-3.0.25rc3 & idmap_ldap (winbind dumps core)
On Tue, May 01, 2007 at 02:49:10AM -0500, Don Meyer wrote: [...]> Then I traced the secret retrieval process back to passdb/secrets.c, > where I then traced the secrets_store_generic function back out to > the 'net idmap secret' command. For others reference, to set the > ldap_user_dn password for each defined domain, and for the idmap > alloc config side, you use the following commands: > > net idmap secret <DOMAIN> <secret> > net idmap secret alloc <secret> > > > (Note: A little pointer dropped in the man page for idmap_ldap would > have been quite helpful here...)There is a note in the man pages that say: NOTE In order to use authentication against ldap servers you may need to provide a DN and a password. To avoid exposing the password in plain text in the configuration file we store it into a security store. The "net idmap " command is used to store a secret for the DN specified in a specific idmap domain. From: http://www.samba.org/samba/docs/man/manpages-3/idmap_ldap.8.html [..]> I'm having trouble tracing this beyond the idmap_init function in > nsswitch/idmap.c. > > > If this points to a problem in samba, I hope this helps. On the > other hand, if this is a problem in my setup, any pointers in the > direction of fixing it would be greatly appreciated.A core dump is definitively an issue, I will try to reproduce and fix it today on my train trip or at worst tomorrow. Simo. -- Simo Sorce idra@samba.org ------------------------------- Samba Team http://www.samba.org
Apparently Analagous Threads
- Group permission problems with winbind & NFS
- Samba 3.0.33/3.2.15 AD joined slow initial connect with LDAP backend
- Possible problem w/ 'idmap restore' under 3.0.25rc3
- Winbind problem w/ ADS domain local group and other-domain members
- RPC fault code DCERPC_FAULT_OP_RNG_ERROR